Declaration of conformity
European regulation on the protection of personal data (GDPR)
As of May 17, 2018
As a subcontractor, our company undertakes to comply with the regulations on the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, applicable as of May 25, 2018 (hereinafter, “the European Data Protection Regulation”), and the amended Data Protection Act.
The purpose of this declaration is to establish a description of the minimum and sufficient guarantees with regard to the technical and organizational security measures requested by the CNIL in its GDPR Subcontractor Guide:
For several years, CDS Groupe has been engaged in an internal information system security management process. A few months ago, we integrated into this process the “GDPR compliance” for all the data that we collect for our own account but also within the framework of our processing as a subcontractor.
To date, our service offer complies with European data protection legislation. We continue to constantly improve data security through a cycle of continuous improvement and in particular the review and legal validation currently in progress of certain legal notices present on our tools, websites, forms, prospectuses and general conditions of sale.
PILOT AND DATA PROTECTION OFFICER (DPO)
For any request related to our compliance and data processing, you can contact Mr. Antoine LAUREAU, external DPO at his address email@example.com
OBLIGATION OF TRANSPARENCY AND TRACEABILITY
- CDS Groupe provides a system that facilitates hotel room reservations. We are therefore required to process personal data through this system. However, CDS Groupe will never use these contents for its own needs, nor sell them, nor transfer them to a third party.
- All our tools processing personal information are fully stored and located in France, either in our Data Centers located in “Clichy (92) and Saint Denis (93)” or in our offices located in “Saint Cloud (92)”.
- Our technical and service providers through which our IT flows may pass are either French companies or large groups that themselves comply with the GDPR, with guaranteed data storage in Europe (ECRITEL and Google).
- The personal data that you import into our tools are not subject to any processing that may exceed the simple purpose of hotel reservation.
- We guarantee that no processing or algorithm of the “big-data” type is applied to your data and that no process processes, aggregates, combines, mixes, exploits or takes advantage in any way of your data and those of our other customers.
- All global statistics that may be produced by our company for the purpose of communication or press relations are fully anonymized and globalized.
DATA PROTECTION BY DESIGN
For more than 17 years, we have put in place numerous protection elements to prevent access to your data by third parties or robots.
1. These protections can be material (firewall, proxy, closed network, regular renewal of our workstations and servers, etc.)
2. These protections may be of a methodological nature (integration of various layers of security and tests during our development phases, use of monitoring tools, daily and incremental backups, use of SSL/HTTPS security standards on all our tools including email exchanges)
3. These protections can be of a software nature (use of anti-virus, updating and regular renewal of our software licenses, choice of tools or French or European modules if necessary)
4. These protections can also be structural (supply of hardware and encrypted VPN links for our teleworkers, choice of a quality Data Center)
SECURITY AND PRIVACY
- All our tools allow you to import, extract and/or erase your data in the event of breach of contract or migration from or to a competitor.
- We have appointed a Data Protection Officer (DPO) to deal with GDPR obligations in the context of our commercial and technical relations
- Our employees are trained in data protection and subject to an obligation of confidentiality
- Any access to your data by our employees is done only at your request or for legal and administrative reasons (mainly accounting).
DATA STORAGE DURATION
- 3 years and 45 days after the end of a contract, a set of processes purges the data. Some of this purge work is part of our “Compliance” process, in particular the purge of data stored in our internal tools such as our ticketing tool, our backups or our logs.
- Any customer can also, on his own initiative, request a purge of his data. This purge will make future reservations impossible. Only the data strictly necessary for a tax or legal audit is kept.
- Any customer or contact who has exchanged data with our company can make an explicit request to our Data Protection Officer (DPO) to delete their data.
All our tools offer to extract your data in a readable and standardized format in the event of breach of contract or migration to a competitor.
ASSISTANCE, ALERTS AND ADVICE
- In the event of a leak or theft of data, we are ready to cut off all public access to our tools and, if necessary, to cut off physical access to our network if computer access is corrupted or no longer controllable remotely.
- In the event of a leak or theft of data, our DPO is prepared to declare the initial incident to the CNIL, and its additional follow-up, within 72 hours as provided for by the European regulation on data protection, and to alert our customers by any functional means in our possession.
- Finally, we are insured by an insurance called “RC Pro” with AXA which includes a component against cyber risk.
This declaration of compliance as a subcontractor does not exempt our end customers from bringing themselves into compliance with the GDPR, and in particular from controlling the flow of people accessing our tools, using strong passwords, putting in place all the physical and software protections necessary to secure their data, whether incoming or outgoing, and of course not lying about the origin of their data collection, not misusing our tools for reprehensible operations, and following our ethical and technological recommendations.